Executive summary of the Study

on the position of Spanish SMEs in

the face of risks and the
implementation of Business
Continuity Plans

Sponsored by:

INFORMATION SECURITY WATCHDOG

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans
Information Security Watchdog
Page 1 of 21
 Date of publication: September 2010

The “Study on the position of Spanish SMEs in the face of risks and the implementation of
Business Continuity Plans” was prepared by the following work team of the INTECO Information
Security Watchdog:

Pablo Pérez San-José (management)

Javier Rey Perille (coordination)

Laura García Pérez

Cristina Gutiérrez Borge

INTECO wishes to highlight the involvment in the fieldwork and research of this study and to
express thanks for sponsoring this printed edition to:

This publication belongs to the National Institute of Communication Technology (INTECO) and is under a Creative
Commons Spain 2.5. Attribution Non-Commercial license. For this reason copying, distributing and publicly disseminating
this work is permitted under the following conditions:
• Attribution: The contents of this report can be reproduced in full or partially by third parties, stating its source and
expressly referring to both INTECO and its website: www.inteco.es. This attribution may in no way suggest that
INTECO lends its support to the third party or supports the use made of its work.
• Non-Commercial use: The original material and the resulting work may be distributed, copied or shown, provided the
purpose thereof is not commercial.
In reusing or distributing the work the terms of its license must be made quite clear. Some of these conditions may not be
applicable if permission from INTECO as holder of the copyright is obtained. Nothing in this license impairs or restricts the
moral rights of INTECO. http://creativecommons.org/licenses/by-nc/2.5/es/

This document meets the PDF (Portable Document Format) accessibility conditions. It is therefore a structured, labelled
document, with alternatives for all non-text elements, set for language purposes and appropriate reading order.
For further information on the construction of accessible PDF documents please see the guide available in the relevant
section > Manuales y Guías at the website http://www.inteco.es
Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 2 of 21
Information Security Watchdog
CONTENTS

CONTENTS .........................................................................................................................3

1 OBJECTIVES AND METHODOLOGY ......................................................................... 4

1.1 Introduction............................................................................................................4

1.2 Objectives..............................................................................................................4

1.3 Methodological design........................................................................................... 5

2 MAIN FINDINGS ..........................................................................................................6

2.1 Analysis of the security levels at Spanish SMEs ................................................... 6

2.2 Business continuity culture and knowledge of Spanish SMEs ............................ 11

2.3 Analysis of the levels of the adoption of business continuity measures or plans by
Spanish SMEs................................................................................................................12

2.4 Comparative analysis of the management of business continuity in Spanish

companies according to size .......................................................................................... 16

2.5 Business continuity best practices ...................................................................... 17

CONCLUSIONS and RECOMMENDATIONS ................................................................... 19

INDEX OF GRAPHICS ......................................................................................................20

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 3 of 21
Information Security Watchdog
1 OBJECTIVES AND METHODOLOGY

1.1 Introduction

In line with its aim to develop the Knowledge Society through projects relating to
innovation and technology, INTECO has published its Study on the level of preparation of
SMEs in the face of risks and their adoption of Business Continuity Plans.

This study emphasises the concept of Business Continuity which, in view of business
developments and national and international events, is being taken into account
increasingly in the strategic management of organisations, to the point of becoming a
necessity or at least a matter to be addressed.

Although there are numerous definitions of Business Continuity Management, they should
refer in all cases to a process aimed at identifying the potential risks threatening an
organisation and, for the purposes of prevention, at developing the ability to recover in the
face of situations entailing complete or partial interruptions to business operations.

1.2 Objectives

The overall objective of this study to analyse, on the basis of employers’ perceptions, the
levels of preparation, patterns of conduct, actual needs and main obstacles preventing the
adoption of measures, plans or strategies that enable Spanish SMEs to be better
prepared in order to guarantee the continuity of their business operations.

Our aim throughout is to propose recommendations of action for companies, the

information security industry and public authorities in order to raise awareness and
encourage compliance with the main indicators and public policies relating to the
Information Society in the field of information security.

Specifically, this overall objective comprises the following aims:

• Analyse the technological situation of security at Spanish SMEs from a business

continuity standpoint.

• Appraise the Spanish SMEs’ levels of culture and knowledge regarding business
continuity.

• Analyse the levels at which business continuity actions or plans have been adopted at
Spanish SMEs.

• Conduct a comparative analysis, from a size standpoint, of the status of continuity at

Spanish companies.

• Be apprised of the best business continuity practices.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 4 of 21
Information Security Watchdog
Lastly, using the findings of the study, a practical guide addressed to SMEs was drawn
up, containing guidelines and advice on the design and implementation of a business
continuity plan.

1.3 Methodological design

The methodology used to conduct the study and to publish this report was based on
surveys (conducted face-to-face, by phone or remotely) of Spanish companies with fewer
than 50 employees and at least one computer with an internet connection and also of
providers or experts in the delivery of services geared to ensuring the continuity of
business operations.

The various perspectives used in the study approach were:

• Types of companies from the standpoint of business continuity. 400 small and
medium companies, as well as micro-companies from all business sectors pursuant to
the 2009 National Classification of Economic Activities (CNAE-2009) responded to the
survey.

• Identification of SMEs with successful track records due to the use of good
practices in business continuity. A total of 29 organisations can be cited as
success stories, representing different situations in terms of whether or not they
adopted business continuity plans in respect of risk analysis, technological recovery
plans, implemented preventive security measures, etc.

• Perception of providers of business continuity services or solutions. Based on

these providers’ knowledge of the supply and demand in continuity services (for SMEs
and by them) and of the risks and threats facing them.

Our contacts with these groups, together with the prior study of various publications and
reports on business continuity (at domestic and international level) enabled us both to
verify the position of the sample under study (Spanish companies) and also to put forward
possible recommendations.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 5 of 21
Information Security Watchdog
2 MAIN FINDINGS

Set out below are the main findings of our study.

2.1 Analysis of the security levels at Spanish SMEs

This summary confirms what INTECO has been pointing out in several of its studies,
namely that Spanish SMEs consider that they are exposed to a large variety of security
incidents which nevertheless always include those relating to information security.

What type of security incidents have affected the SMEs recently?

43.3% of the SMEs that took part in the survey stated that they had suffered some kind of
serious security incident in the last three months, salient of which were service failure on
the part of providers (16.3%), computer attacks (11.1%) or support system breakdowns
(air-conditioning, electricity or communication lines (8.9%) (See Graphic 1):

Considering the number and variety of the security incidents that impacted the continuity
of operations one way or another, it may be considered likely that companies will be
affected by interruptions.

Graphic 1: Security incidents affecting SMEs in the last three months

The company has not been affected by any security incident in

the last 3 months 56,7%

Service failure by suppliers 16,3%

Computer attack 11,1%

Crash of support systems (air-conditioning, communication
lines and devices, etc.) 8,9%

Crash of systems/applications 7,4%

Fines, penalties 4,4%

Flood, earthquake, fire 3,6%

Loss of critical business data 1,7%

Absence of key personnel 1,7%

Physical damage to facilities/equipment 1,4%

Other 2,0%

Don't know/No answer 8,1%

0% 20% 40% 60% 80% 100%

Base: Total SMEs and success stories (n=429) Source: INTECO

This reinforces the point that you can never know what event might affect an
organisation, causing its activities to be halted, since such events largely depend on
the specific circumstances in each case.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 6 of 21
Information Security Watchdog
What were the causes that triggered the incidents?

When it came to identifying the main causes that could have triggered these security
incidents (see Graphic 2), despite the variety of responses, three reasons can be cited
(unawareness of the threat (6.9%), poor or obsolete system configuration (6.8%) and
inefficient associated prevention tools (3.1%), thereby confirming the premise that SMEs
may not be aware of the risks facing them and consequently, the measures adopted to
cater for such risks are not effective because they have an imperfect understanding of and
have not prioritised the threats they should be addressing:

Graphic 2: Reasons for security incidents (%)

Unaware of the threat 6,9%

Obsolete systems 3,7%

Incorrectly configured systems 3,1%

I had the tools but they were not effective 3,1%

I was aware of the threat but did not know how to

2,9%
prevent it

Poor advice 2,7%

I lacked tools to prevent it 1,6%

I was aware of the risk but did not have the budget
0,9%
resources

Other 10,9%

0% 20% 40% 60% 80% 100%

Base: SMEs that have been affected by some kind of security incident (n=372) Source: INTECO

Our detailed analysis of “Other” causes indicated by the respondents showed that most of
the companies that gave this response laid the blame on a failure in service by providers
(61.1%), who in one way or another help maintain the uninterrupted continuity of business
operations.

What response measures have been adopted in the wake of the incidents?

Our conclusions from an analysis of the level of implementation of security measures as a

response to incidents affecting SMEs that have been affected by an adverse security
event are:

• The organisations already have certain security measures in place. Mainly, they make
back-up copies (87.8%), acquire software or hardware (79.7%) and consult or seek
support from experts (79.2%).

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 7 of 21
Information Security Watchdog
• In the near future, SMEs intend to gain more knowledge of the business continuity
plans that can be adopted (25.4%), adopt measures to guarantee the continuity of
operations in the event of an emergency (22%) and enter into agreements with third
parties (18.9%).

• The study also revealed certain measures that the SMEs have not implemented and
do not intend to implement, such as adopting a risk management procedure (64.6%)
or hiring physical security services (64.6%).

Graphic 3: Security measures aimed at guaranteeing the continuity of operations

Make back-up copies 87,8% 12,2%

Acquire SW/HW 79,7% 0,3% 20,0%
Seek expert advice 79,2% 0,3% 20,5%
Replace equipment and/or communication systems 74,0% 9,2% 16,8%
Arrange insurance 63,6% 15,5% 20,9%
Fire detection/extinguishing systems 62,4% 37,6%
Adopt measures to guarantee continuity 62,3% 22,0% 15,7%
Hire outside advisory services 59,2% 0,4% 40,4%
Air-conditioning systems 53,8% 46,2%
Improve back-up copy procedure 52,0% 12,1% 35,9%
Find more information on the matter 45,6% 25,4% 29,0%
Enter into agreements with third parties 43,4% 18,9% 37,7%
Acquire new security product 40,1% 12,4% 47,5%
Acquire/lease alternative back-up centre 47,2% 10,9% 41,9%
Adopt risk management process 35,4% 64,6%
Arrange physical security services 35,4% 64,6%
Other 54,8% 14,5% 30,6%

0% 20% 40% 60% 80% 100%

Already implemented I intend to implement it I have not implemented it, nor intend to do so

Base: SMEs that have been affected by some kind of security incident (n=372) Source: INTECO

Are third-party service suppliers required to have security measures in place?

Based on the study, it does not appear that the surveyed companies are aware that the
continuity of their operations may depend considerably on their suppliers’ continuity
guarantees. As shown in Graphic 4, 72% of the small and micro Spanish companies
surveyed do not require their suppliers to provide any certificate or to comply with any
measures aimed at guaranteeing the continuity of their services.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 8 of 21
Information Security Watchdog
 Graphic 4: Companies demanding some form of evidence/certificate/measures/plans
guaranteeing the continuity of their suppliers’ services in the event of a disaster

9,3%
18,7%

72,0%
Yes No Don't know/No answer

Base: Total SMEs (n=400) Source: INTECO

The most common requirements demanded by the 18.7% that require their suppliers to
meet business continuity guarantees are:

• Minimum quality of service delivery (22.3%).

• Round the clock service, seven days a week, established in agreements with suppliers
of the most critical services or immediate response times (14.3%).

• Certificates or evidence of meeting security and/or continuity standards (14.1%).

• Contractual specifications (11.3%).

How can a degree of maturity be attained with respect to the risk management
processes that impact on business continuity?

The best way to adopt security strategies in line with the needs and actual situation of
companies is to base them on an understanding of the risks that threaten the continuity of
their business processes:

• Identify and prioritise the risks that a company should address.

• Determine the most appropriate security measures to be implemented, based on the

previously identified risks.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 9 of 21
Information Security Watchdog
From our initial analysis of the responses, 38.3% of the surveyed companies have a
management process in place which they use on a periodic basis to address the risks that
could affect the continuity of their operations, thereby demonstrating, at the outset, a
certain level of concern and proactive approach (see Graphic 5).

Graphic 5: Companies carrying out some kind of action aimed at addressing continuity
risks (%)

4,6%

16,1%

16,8%

71,2%
24,2%

38,3%

No
Don't know/No answer
Yes, but only occasionally and when the budget and workload permit
Only rarely
Yes, we have an optimised process, managed and reviewed regularly

Base: Total SMEs (n=400) Source: INTECO

What are the maximum interruption times that can be tolerated by SMEs?

In order to analyse the appropriateness of the security measures in place and the actual
continuity needs required by the various activity sectors, our aim was to identify, with the
SMEs surveyed in the study, the maximum time of inactivity, in the event of an
interruption, that could be borne without this having a serious impact on their finances,
operations or the company reputation (see Graphic 6).

Irrespective of the industry in question, 35.8% of the companies stated that they could not
allow their key activities to be halted, thereby underlining the critical importance of
adopting business continuity plans at any kind of SME.

Similarly, only 17.5% of the small and micro Spanish companies surveyed could tolerate a
standstill in their activities for more than five days without this having a serious effect on
the company.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 10 of 21
Information Security Watchdog
 Graphic 6: Maximum time for business activity interruption at SMEs

100%

80%

60%

40% 35,8%

22,6%
20% 17,5%
11,7% 12,5%

0%
Immediately More than 12 hours More than 24 hours More than 48 hours More than 5 days

Base: Total SMEs and success stories (n=429) Source: INTECO

2.2 Business continuity culture and knowledge of Spanish SMEs

Our appraisal of the findings regarding the level of knowledge of the business continuity
culture revealed, especially, the difficulties organisations had with gaining a clear grasp of
the key concepts in this connection.

Although 33% of the SMEs claimed to be familiar with the concepts of business continuity,
only 21.7% of these really knew the difference between the terms “Business Continuity
Plan” and “Disaster Recovery Plan” (see Graphic 7).

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 11 of 21
Information Security Watchdog
 Graphic 7: Companies familiar with business continuity concepts (%)

6,0%

12,5%

3,8%
33,0%

61,0%
16,7%

No
Don't know/No answer
Yes, absolutely
Yes, we have them for business management purposes but I am not fully familiar with them
I have only a vague idea, I have heard of them occasionally

Base: Total SMEs (n=400) Source: INTECO

These levels of knowledge and training in the subject are indicators that can be compared
with the findings of other studies at international level which reflect the lower interest in
and awareness of business continuity-related matters shown by Spanish SMEs.

• The highest level of knowledge was found at companies in the professional, scientific
and technical sectors (31.8%), and those engaged in technological activities (18.2%),
whereas companies in the education, healthcare or social services sectors showed
greater deficiencies in this respect.

• No quantitative differences in the levels of knowledge of SMEs were noted when the
analysis focused on the size of companies

2.3 Analysis of the levels of the adoption of business continuity measures or

plans by Spanish SMEs

As shown by the findings of the study, regarding the issue of business continuity, Spanish
SMEs are characterised by a general unawareness of what business continuity is and its
importance in their day-to-day operations.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 12 of 21
Information Security Watchdog
Which companies have defined some form of business continuity strategy?

The study concluded that 38.4 % of the SMEs stated that they had some form of strategy
that focused on ensuring the continuity of their business in the event of an incident or a
disaster. This group includes both companies that had defined strategies for the continuity
of their operations (16.7%) and those that had procedures in place solely to ensure
recovery on a technological level (21.7%).

Graphic 8: Companies with some form of business continuity strategy (%)

4,3%

16,7%

38,4%
57,3%
21,7%

No Don't know/No answer

Yes, prepared and implemented Yes, although it only allows the recovery of technology

Base: Total SMEs (n=400) Source: INTECO

There are various reasons why companies lack a formal plan, arising, to a large extent,
from difficulties or obstacles when it comes to the development and implementation of the
strategy. The fact that they consider the likelihood of a crisis or disaster occurring to be
remote, or lack the time, resources and/or budget are some of the obstacles highlighted
by SMEs in this respect. Similarly, a lack of knowledge and experience of the subject
means that a large percentage of the companies that adopt continuity measures decide to
resort to external support and assistance for some of the plan’s development phases
(42.4%).

What are the reasons behind the implementation of business continuity plans?

It is also important to be aware of the reasons why organisations become involved in

continuity. Although guaranteeing the availability of business operations is one of the main
objectives pursued in the development of continuity plans, strategic arguments such as
“improving the company’s reputation and public image” or “gaining a competitive edge”
are gradually becoming more important.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 13 of 21
Information Security Watchdog
 Graphic 9: Main reasons for the implementation of business continuity plans

Guarantee the availability of business operation in the

2,7%5,6% 13,9% 73,1%
event of crisis 4,7%
Reputation and protection of the company's public
10,6% 9,2% 9,3% 29,7% 41,1%
image
Competitive advantage over other market competitors 23,6% 14,5% 7,4% 23,1% 31,4%

Customer requirements 13,5% 14,5% 13,8% 28,3% 30,0%

In response to an internal/external audit requirement 35,1% 8,3% 14,5% 15,2% 26,9%

Compliance with regulatory/legal requirements 10,7% 20,6% 16,3% 26,6% 25,8%

Alignment with the main industry security standards 17,4% 23,1% 15,5% 26,3% 17,8%

Previous interruptions to business operations 26,8% 16,2% 19,9% 22,2% 14,8%

In the event of possible pandemics (swine flu) 57,7% 28,9% 3,5% 8,9%1,0%

Other 2,6% 23,3% 2,4%11,8% 59,9%

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

(1) Not at all important (2) Not very important (3) Important (4) Quite important (5) Very important

Base: SMEs with a strategy (n=199) Source: INTECO

What are the reasons for SMEs’ lack of business continuity measures?

Certain conclusions can be drawn from an analysis of the reasons put forward by SMEs
for not having business continuity measures (see Graphic 10):

• Approximately half of Spanish small and micro-companies lack the necessary

awareness and training to understand how vital it is for their organisation to have the
means to respond to serious situations. They believe that the probability of these
situations occurring is so low that it is not worth investing in measures and prefer to
assume the risk (19.1%). Another 14.2% believe that it is an unnecessary expense
given the cost of implementation.

In short, they have an incorrect perception of the risks or threats to which they may be
subject and of the likelihood of a contingency arising which, if it is not dealt with in
time, could become a serious issue.

• Lack of funds and budgetary resources to cover the necessary measures (15.1%).

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 14 of 21
Information Security Watchdog
 Graphic 10: Reasons why companies do not implement continuity plans

I believe the possibility of a crisis/disaster occuring is

19,1%
very small
I do not have trained staff or sufficient time 16,7%

Insufficient budget 15,1%

It is an unnecessary expense give the implementation

14,2%
costs
I have other more urgent security weaknesses 7,7%

Lack of support from the company (from the business,

1,2%
management or employees)
Lack of support from the business lines 0,2%

Lack of visibility and leadership within the organisation 0,1%

Other 10,0%

Don't know/No answer 12,5%

0% 20% 40% 60% 80% 100%

Base: SMEs that do not have strategies (n=201) Source: INTECO

What is the demand for external advisory services for the development of business
continuity strategies?

As shown by the study, it must be remembered that the majority of the companies taking
part have neither the knowledge nor necessary experience to deal with processes of this
nature, nor the objectivity and independence required to identify the company’s critical
resources and processes.

Accordingly, nearly half of the SMEs (44.4%) that have undertaken business continuity
programmes have needed external advisory services (see Graphic 11).

Conversely, 49.2% have their own technical resources, knowledge, etc. to tackle the
response actions to be implemented in the event of an interruption to services.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 15 of 21
Information Security Watchdog
 Graphic 11: Companies that required external advisory services to deal with business
continuity programmes (%)

6,4%

44,4%

49,2%

Yes No Don't know/No answer

Base: SMEs with strategies (n=199) Source: INTECO

2.4 Comparative analysis of the management of business continuity in Spanish

companies according to size

Unlike SMEs, large Spanish companies have more means, more resources and, above
all, a greater level of awareness to comprehend that the adoption of business continuity
plans is critical for an organisation.

Indeed, as Graphic 12 shows, 81.1% of large companies have implemented business

continuity plans (compared to 38.4% of SMEs that have undertaken come kind of initiative
in this regard). Furthermore, most large companies have more staff to manage these
plans who, in most instances, work full-time in this area.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 16 of 21
Information Security Watchdog
 Graphic 12: Comparison of the level of business continuity plan implementation

100%

81,1%
80%

60% 57,3%

38,4%
40%

18,9%
20%

4,3%
0,0%
0%
Yes No Don't know/No answer

SME Large company

Base: total SMEs (n=400) and large companies (n=253) Source: INTECO

The situation of SMEs is drastically different as they must focus on day-to-day production
and so the task of keeping their business activity ‘afloat’ and surviving in the business
world becomes their main goal. This prioritisation of objectives means that other important
matters, such as continuity management, are forgotten or, at least, take a back seat.

2.5 Business continuity best practices

Part of this study focussed on SMEs which do currently have some form of successfully
defined continuity strategy or plan. The 29 organisations chosen as a sample in this
section were asked about any key factors or good practices that they had to develop in
order to effectively implement their measures and the benefits linked to their
implementation.

In line with the main standards in the field, SMEs concur that the following are good
practices that aid the development of continuity measures from a strategic, tactical and
operational standpoint:

• The support and commitment of management.

• A preliminary analysis of the risks affecting the company.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 17 of 21
Information Security Watchdog
• Definition of the critical systems and applications within the scope.

• The use of external advisory services.

• The acquisition of appropriate software and hardware.

• Periodic assessment of the effectiveness and performance of the measures

implemented.

According to statements by these organisations, adoption of these best practices

facilitates efficient implementation of a continuity policy and, consequently, results in
benefits such as reducing response times in crisis situations or controlling potential
financial and operational impacts.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 18 of 21
Information Security Watchdog
CONCLUSIONS AND RECOMMENDATIONS

There is a general lack of awareness amongst Spanish SMEs of the multitude of risks
they face, the probability that they will occur and the consequences that they can cause.

This mistaken view of the risks leads companies to unwittingly accept them and adopt a
predominantly reactive position, i.e. only when they suffer serious security incidents do
they show an interest and become willing to improve the resistance of their operations.

In this situation, there is a clear need for business continuity plans in order to minimise the
impact of serious disruptions to business operations.

The adoption of these measures comes up against three main obstacles:

• Efforts focused on day-to-day management highlight a lack of resources.

• The cost/benefit ratio does not appear to be favourable to the business owner. The
mistaken opinion that ‘nothing ever happens’ leads to the idea that continuity is an
unnecessary expense.

• Lack of knowledge and the need to use external specialists to advise on the
implementation of measures result in increased costs.

In light of this, a specific boost needs to be given to the introduction of support services for
the implementation of business continuity plans for SMEs, including, for example:

• Training aimed at creating interest and concern at SMEs and knowledge of the risks
they face.

• An SME-specific service offering covering all the areas of the business continuity plan
(technology, operations, management, financial, legal and logistics services, etc.).

• Greater awareness and effective tools enabling SMEs to calculate the cost/benefit
ratio in order to better prioritise available resources and determine investments.

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 19 of 21
Information Security Watchdog
INDEX OF GRAPHICS

Graphic 1: Security incidents affecting SMEs in the last three months ............................... 6

Graphic 2: Reasons for security incidents (%)..................................................................... 7

Graphic 3: Security measures aimed at guaranteeing the continuity of operations............. 8

Graphic 4: Companies demanding some form of evidence/certificate/measures/plans

guaranteeing the continuity of their suppliers’ services in the event of a disaster ............... 9

Graphic 5: Companies carrying out some kind of action aimed at addressing continuity
risks (%) .............................................................................................................................10

Graphic 6: Maximum time for business activity interruption at SMEs ................................ 11

Graphic 7: Companies familiar with business continuity concepts (%) .............................. 12

Graphic 8: Companies with some form of business continuity strategy (%) ...................... 13

Graphic 9: Main reasons for the implementation of business continuity plans .................. 14

Graphic 10: Reasons why companies do not implement continuity plans ......................... 15

Graphic 11: Companies that required external advisory services to deal with business
continuity programmes (%) ................................................................................................ 16

Graphic 12: Comparison of the level of business continuity plan implementation ............. 17

Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 20 of 21
Information Security Watchdog
 www.inteco.es
www.deloitte.es
http://observatorio.inteco.es